Audit finds ex-workers had access to state computers

The Auditors of Public Accounts, in a report issued Friday, said the DRS is failing to follow its own procedures -- and those ordered in recent years by Gov. M. Jodi Rell -- to secure sensitive data.

The report comes at a time when the DRS is the target of sharp criticism after an employee allowed an agency laptop computer, containing information on 106,000 state taxpayers, to be stolen from an apparently unlocked car at a Long Island hotel during the summer.

Auditor Robert G. Jaekle said Friday that the DRS is only one of "several" state agencies that have failed to remove the computer access of terminated and voluntarily separated employees.

The audit for the two-year period ending June 30, 2006, found more than half of former employees -- 10 of 17 cases surveyed -- retained access to one or more "critical" systems.

Jaekle warned of the potential for former employees to vent dissatisfaction on the department's system.

"It only takes one disgruntled employee with pretty good computer skills to, at the very least, cause some mischief for the state of Connecticut by inappropriately accessing and using system data after they've been discharged," Jaekle said.

"The potential for some hard feelings is there, and that's why these basic questions should be addressed."

The DRS on Friday disputed many of the audit findings, stressing it does cut off computer access in a timely manner following the departure of agency employees. A spokesman for the department said the audit study is "misleading" about exit interview procedures.

The 37-page auditors' report said in 15 of 17 cases examined, the employees were separated without a required exit interview process, and that mandatory interviews with an ethics liaison officer were never conducted.

"There was supposed to be a checklist for terminated employees," Jaekle said. "There have also been new ethics rules over the last few years. In this case there was no checklist on file, and the ethics officer did not conduct exit interviews."

Employees on the threshold of separation from state employment are supposed to hand in ID badges, keys to doors, and card keys to restricted areas, and have their computer passwords and user names deleted.

"A lot of the safeguards ... that prevent unauthorized access to buildings' hardware (and) data on computers should all be taken care of on separation," Jaekle said.

He recalled that in several agencies in recent years, his staff has found similar problems with the timely termination of computer access.

Of the 30 user-identification codes sampled, auditors found three separated Core-CT employees still had active computer sign-ons.

"This was right in the heart of the centralized computer program," said Jaekle, who coincidentally was among the 106,000 state residents whose personal information was on the missing DRS laptop.

One way to prevent unauthorized access is to upgrade encryption software, Jaekle said. Another, more obvious, solution is for departments such as the DRS to follow the governor's security directive and the agency's own procedures.

"Our recommendation is to follow good business practices when dealing with employees leaving voluntarily or involuntarily, including the disabling of access to the computer system that might have confidential or sensitive data in it," Jaekle said. "When an employee leaves agency service, all their employee rights should end."

Overall, Jaekle said that the two-year DRS audit, which contained 13 areas for improvement, found no evidence of "material or significant" weaknesses.

"We try to point out where agencies aren't meeting the letter of the law and their own operation standards and controls," Jaekle said, pointing to the computer-access issue. "These are areas where potentially some harm can occur."

Sarah Kaufman, spokeswoman for the DRS, said Friday that there are exit procedures.

"While we agree with some of the findings, such as our exit liaison officer was not included in exit interviews, we have taken steps to remedy that," Kaufman said.

"We believe that the report incorrectly suggests that DRS did not have an exit process in place to ensure proper notification when employees were separated or terminated," she said, adding that the agency has had the protocol for 15 years and updated it in May 2006.

"We feel that we are properly notifying specific areas of the agency when an employee is separated or terminated," Kaufman said.

"Some of the steps include notifying our information systems development when an employee has been terminated, so they can eliminate their access to the legacy processing system, e-mail, etc."